RE: [ws-sx] Issue 31: Clarification for UsernameToken assertion

["Martin Gudgin" <mgudgin@microsoft.com>]

Comments inline. 

Gudge

> -----Original Message-----
> From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> Sent: 16 February 2006 08:08
> To: Martin Gudgin; Marc Goodner; ws-sx@lists.oasis-open.org
> Subject: AW: [ws-sx] Issue 31: Clarification for 
> UsernameToken assertion
> 
> I agree to the comment for the server's point of view. But
> what about the client? MAybe I'm wrong here but my understanding
> of WSP is to define what type of tokens to use, what they are 
> used for (encrypt, signing, etc.), and which elements they contain.

[MJG]
I'm with you on type and usage. I'm unconvinced it's WSP's job to define what elements they contain. I think that's traditionally been the job of a WSS Token Profile.

> 
> In that sense a client that creates a message IMHO needs to
> which elements a Usernametoken shall contains, which type of
> password to use etc. This cannot be defined as it stands today.

[MJG]
The client needs to be able to construct a token that matches the token profile in use. 

If the token profile allows for variation, then the client can choose to send any token that matches the profile and the service should accept it.

Do you have a specific scenario in mind where a service only supports a subset of a WSS Token Profile?


> 
> Regards,
> Werner
> 
> > -----Ursprüngliche Nachricht-----
> > Von: Martin Gudgin [mailto:mgudgin@microsoft.com] 
> > Gesendet: Mittwoch, 15. Februar 2006 00:23
> > An: Marc Goodner; Dittmann, Werner; ws-sx@lists.oasis-open.org
> > Betreff: RE: [ws-sx] Issue 31: Clarification for 
> > UsernameToken assertion
> > 
> > Comments inline
> > 
> > Cheers
> > 
> > Gudge 
> > 
> > > -----Original Message-----
> > > From: Marc Goodner [mailto:mgoodner@microsoft.com] 
> > > Sent: 09 February 2006 20:51
> > > To: Dittmann, Werner; ws-sx@lists.oasis-open.org
> > > Subject: [ws-sx] Issue 31: Clarification for 
> UsernameToken assertion
> > > 
> > > This is now logged as issue 31.
> > > 
> > > Marc Goodner
> > > Technical Diplomat
> > > Microsoft Corporation
> > > Tel: (425) 703-1903
> > > Blog: http://spaces.msn.com/mrgoodner/ 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> > > Sent: Thursday, February 09, 2006 12:18 AM
> > > To: ws-sx@lists.oasis-open.org
> > > Cc: Marc Goodner
> > > Subject: [ws-sx] NEW Issue: Clarification for UsernameToken 
> > assertion
> > > 
> > > PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON 
> > THREAD UNTIL
> > > THE ISSUE IS ASSIGNED A NUMBER.
> > > 
> > > The issues coordinators will notify the list when that 
> has occurred.
> > > 
> > > Protocol:  ws-sp
> > > ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf
> > > 
> > > Artifact:  spec
> > > 
> > > Type: design
> > > 
> > > Title: Clarification for UsernameToken assertion
> > > 
> > > Description:
> > > 
> > > The UsernameToken defines additonal (optional) assertions 
> > that specify
> > > the WSS spec version. IMHO this is not enough to fully specify a
> > > UsernameToken. For example a UsernameToken may have a additonal
> > > elements such as a creation time. The WSS specs do not 
> define in any
> > > way if such elements shall be included or not (some are 
> > > recommended but
> > > no mandated).
> > 
> > [MJG]
> > The assumption is that if you accept, for example, 
> UsernameTokens per
> > WSS 1.0, then you will accept all legal serializations 
> > 
> > > 
> > > Related issues:
> > > none
> > > 
> > > Proposed Resolution:
> > > 
> > > The UsernameToken assertion should be extended to better 
> reflect the
> > > WSS username token elements and attributes.
> > > 
> > > Werner Dittmann
> > > Siemens COM MN CC BD TO
> > > mailto:Werner.Dittmann@siemens.com
> > > Tel:   +49(0)89 636 50265
> > > Mobil: +49(0)172 85 85 245
> > > 
> > 
>